The Klez-H (or Klez-Gen) worm spreads via email. The email "Subject:" line may contain one of the following: "A very funny website", "1996 Microsoft Corporation", "Hello, honey", "Initing esdi", "Editor of PC Magazine", "Some questions", "Telephone number" or "Worm Klez-E Immunity".
The "Attachment Name:" is selected randomly but will end with the extension exe, scr, pif or bat.
The worm may also send an additional document with extension txt, htm, html, wab, asp, doc, rtf, xls, jpg, cpp, c, pas, mpg, mpeg, bak, mp3 or pdf. This will result in the sending of private and confidential files to others.
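A mail-gateway check built from the subject lines and attachment extensions listed above, as an added example that is not part of the original advisory. The function names, sample addresses and file names are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject strings and extensions as listed in the advisory text (lower-cased).
SUBJECTS = (
    "a very funny website", "1996 microsoft corporation", "hello, honey",
    "initing esdi", "editor of pc magazine", "some questions",
    "telephone number", "worm klez-e immunity",
)
WORM_EXTS = {"exe", "scr", "pif", "bat"}  # scr = Windows screensaver
DOC_EXTS = {"txt", "htm", "html", "wab", "asp", "doc", "rtf", "xls", "jpg",
            "cpp", "c", "pas", "mpg", "mpeg", "bak", "mp3", "pdf"}


def klez_indicators(raw: bytes) -> list:
    """Return the advisory's indicators that a raw RFC 5322 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").lower()
    if any(s in subject for s in SUBJECTS):
        hits.append("subject")
    # Only the final extension decides how Windows opens the file, so
    # "photo.jpg.exe" counts as exe, not jpg.
    exts = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().rstrip(".")
        if "." in name:
            exts.append(name.rsplit(".", 1)[1].lower())
    if any(e in WORM_EXTS for e in exts):
        hits.append("executable-attachment")
        # A document next to the executable is the data-leak case.
        if any(e in DOC_EXTS for e in exts):
            hits.append("document-alongside")
    return hits


def build_sample(subject: str, filenames: list) -> bytes:
    """Constructed test message; addresses and file names are made up."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("constructed body")
    for name in filenames:
        m.add_attachment(b"constructed", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()
```

A subject match on its own is a weak signal, since strings such as "Some questions" also occur in ordinary mail; the executable attachment is the stronger indicator.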
- Boot up your computer with a clean DOS diskette from drive A. This step is not optional: the active worm file is hidden and read-only, and Windows will not allow it to be deleted
- Run Vbuster.Exe and get it to delete all occurrences of the worm
- Note the name of the worm file in the Windows\System subdirectory (Windows\System32 on Windows NT, 2000 and XP). You can see this in Vbuster.Log, which Vbuster.Exe creates in the root directory of your hard disk
- Start Windows and run Regedit.Exe
- Do a Search and look for HKLM\Software\Windows\CurrentVersion\Run\Filexxx where Filexxx is the name of the infected file in the Windows\System or Windows\System32 Subdirectory
- Delete the line after it is found